Understanding IP addressing is a fundamental skill for anyone entering the world of ethical hacking. Before scanning networks, identifying live hosts, or launching penetration testing tools, security professionals must understand how IP addresses are structured and how networks are organised.

One of the core concepts in networking is IP address classes. Even though modern networking relies heavily on CIDR notation which we covered in our last blog, understanding IP classes helps ethical hackers quickly recognise network sizes, identify internal infrastructures, and plan reconnaissance strategies effectively.

In this guide, we will explain IP address classes, how they work, and how ethical hackers use them during penetration testing and network reconnaissance.

What Are IP Address Classes

An IP address is a unique identifier assigned to devices connected to a network. In IPv4 networking, IP addresses are divided into different classes to organize network sizes and allocations.

These classes were originally designed to support different sizes of networks, ranging from extremely large global networks to small private networks used within organizations.

The five main IP address classes are:

  • Class A
  • Class B
  • Class C
  • Class D
  • Class E

For ethical hackers, the most important classes are Class A, B, and C, because they define the majority of real-world network infrastructures. Understanding these classes helps penetration testers identify how many hosts may exist in a target network and how large the attack surface could be.

Why IP Address Classes Matter in Ethical Hacking

When ethical hackers perform network reconnaissance, they must determine how the network is structured before scanning it.

For example, if a penetration tester encounters an IP address like:

10.20.15.5

An experienced hacker immediately recognises this as part of a Class A private network.

This indicates that the network may contain thousands of systems within the internal infrastructure.

Knowing the IP class helps ethical hackers decide:

  • How large the network might be
  • What scanning strategy to use
  • How to prioritize reconnaissance efforts
  • Which subnets to investigate

In real penetration testing engagements, reconnaissance often begins with commands such as:

nmap -sn 10.0.0.0/8

This command performs a host discovery scan across a large Class A private network.

1. Class A IP Addresses

Class A networks are designed for extremely large infrastructures.

Class A Range

1.0.0.0–126.255.255.255

- Default Subnet Mask

255.0.0.0

- Number of Hosts

Over 16 million hosts per network. Class A networks were originally assigned to large organizations, governments, and global service providers.

In ethical hacking scenarios, you will frequently encounter private Class A networks, especially in enterprise environments.

The most common private Class A range is:

1.0.0.0–126.255.255.255

Large companies often divide this range into multiple internal networks. Example reconnaissance command used by penetration testers:

nmap -sn 10.0.0.0/16

This command helps identify live hosts within a section of a large Class A network.

2. Class B IP Addresses

Class B networks are used for medium-sized networks such as universities, enterprises, and government infrastructures.

Class B Range

128.0.0.0–191.255.255.255

- Default Subnet Mask

255.255.0.0

- Number of Hosts

Approximately 65,000 hosts per network. Class B networks provide a balance between network size and manageability.

One of the most commonly used private Class B ranges is:

172.16.0.0–172.31.255.255

Ethical hackers often encounter this range when performing internal penetration testing.

Example network discovery command:

nmap -sn 172.16.0.0/16

This command identifies active hosts across the entire Class B subnet. Security professionals then follow up with deeper scanning:

nmap -sV -p- 172.16.10.0/24

This command scans all ports and identifies services running on discovered systems.

3. Class C IP Addresses

Class C networks are the most common type used in small networks. These networks are typically found in:

  • Small businesses
  • Home networks
  • Small corporate branches
  • Lab environments

Class C Range

192.0.0.0–223.255.255.255

- Default Subnet Mask

255.255.255.0

- Number of Hosts

Up to 254 hosts per network. The most widely used private Class C range is:

192.168.0.0–192.168.255.255

This is commonly seen in routers and internal LAN networks. Ethical hackers often begin reconnaissance in small networks with commands like:

nmap -sn 192.168.1.0/24

Once live hosts are discovered, penetration testers perform deeper scans. Example service detection:

nmap -sV 192.168.1.34

Example vulnerability scanning:

nmap - script vuln 192.168.1.0/24

4. Class D and Class E IP Addresses

Although ethical hackers primarily focus on Classes A, B, and C, it is useful to understand the remaining classes.

  • Class D

Range:

224.0.0.0–239.255.255.255

- Purpose: Multicast communication.

Class D addresses are used for streaming, broadcasting, and network multicasting.

  • Class E

Range:

240.0.0.0–255.255.255.255

Purpose: Reserved for experimental use.

These addresses are not typically used in standard networking environments.

How Ethical Hackers Identify Network Classes

During penetration testing, hackers often begin by identifying the IP structure of the target environment.

Tools like Nmap, Netdiscover, and ARP scanning utilities help map networks.

Example command to identify devices on a network:

netdiscover -r 192.168.1.0/24

Example using ARP scan:

arp-scan --localnet

Once devices are discovered, hackers move to service detection and vulnerability scanning. These reconnaissance techniques form the backbone of modern penetration testing.

IP Classes vs CIDR Notation

Modern networks typically rely on CIDR notation instead of traditional IP classes. However, understanding IP classes still provides valuable context for network analysis.

For example:

192.168.1.0/24

This CIDR range closely resembles a traditional Class C network.

Similarly:

10.0.0.0/8

Matches the private Class A network.

Build Strong Networking Foundations for Ethical Hacking

Networking knowledge is the backbone of ethical hacking. Without understanding how IP addresses and networks are structured, it becomes extremely difficult to perform reconnaissance, vulnerability scanning, or exploitation effectively.

IP address classes help ethical hackers understand network sizes, identify internal infrastructures, and plan penetration testing strategies.

From scanning Class C home networks to mapping large Class A enterprise infrastructures, networking fundamentals guide every stage of a security assessment.

If you want to go beyond theory and learn how professional penetration testers actually discover vulnerabilities, perform network scanning, and exploit systems, structured training can accelerate your learning.

The Masters in Ethical Hacking Course from Redfox Cybersecurity Academy teaches these techniques through practical labs, guided demonstrations, and real-world hacking workflows.

Start learning practical ethical hacking today: https://academy.redfoxsec.com/course/masters-in-ethical-hacking-93954

With the right knowledge and hands-on practice, networking concepts like IP address classes can become powerful tools for penetration testing and cybersecurity defense.